

Gartner Catalyst 2012: Is the mobile hypervisor the right BYOD approach?

by Gunnar Berger  |  August 7, 2012  |  31 Comments

It’s just two weeks until Gartner’s Catalyst Conference and I’ve been busying myself with my presentation decks for my different sessions. One session that I find very interesting is a vendor debate I’m moderating between Citrix and VMware. First off, I think it’s amazing that we could get these two vendors in the same room together, let alone on stage together directly debating. My job in this debate is to generate conversation about these companies’ very different approaches to this market. How different are they? VMware is taking a mobile device management (MDM) approach, while Citrix is taking a mobile application management (MAM) approach.

I’ve been attempting to start the debate early on Twitter (@gunnarwb) to see what others think about this market. So far Tal Klein (@VirtualTal), Senior Director of Products at Bromium, is the first to comment.

In response to a tweet talking about Divide, Tal has one comment:

“Meh”

I joined the conversation and stated that I find the solution interesting because, unlike VMware’s solution, the Divide solution is not a hypervisor, which I highly doubt will ever be allowed on iOS. To this Tal responds:

“Horizon Mobile is equally useless. People don’t think my stuff here/work stuff there.”

I’ve had enough conversations with Tal to know he is against any approach where the end user notices something IT has done. I reached out to him directly and he gave me this response:

“In the dual persona use case, IT is forcing end-users who don’t have multiple personalities to adopt multiple personalities. This is not holistic and forces people to work in a different context because IT says so with no added benefit to the end-user. It’s contrary to how we interact with our computing devices, especially phones and thus destined to fail.”

Tal hits on one of the differences between the Citrix and VMware approaches. In the Citrix approach your business apps will sit side by side with your personal apps. In the VMware approach they are completely separate environments.

  • The completely separate environments approach has some benefits, such as the ability to completely remote wipe the business side of the device. Businesses could also pay for a phone/data plan that is only used when you are on the business side, allowing a separate phone/data plan for the personal side.
  • The side by side approach is more in line with how Tal sees the end user’s non-split personality, but I imagine there could be legal issues for companies that want to remote wipe a device (in some countries this is not legal).

There are a lot more advantages and disadvantages to each approach and I’m in the middle of picking them apart for the debate. I’d love to get your feedback though. What questions would you ask? What weaknesses do you see? What advantages do you see? I have informed both Citrix and VMware that I’m opening up the debate early through my blog, so they will be listening for feedback here.

I’d really like to hear from you. Which approach do you think is best? Which is worst? Are they both wrong?

Comments appreciated!


Gunnar Berger
Research Director
1 year at Gartner
14 years IT industry

Gunnar Berger is a research director for Gartner's IT Professionals service. He covers desktop, application and server virtualization.


Thoughts on Gartner Catalyst 2012: Is the mobile hypervisor the right BYOD approach?


  1. Tal Klein says:

    I’m not “against any approach where the end user notices something IT has done”, I’m against end-user productivity being detrimentally impacted by something IT does. To that extent I’m yet to be convinced either vendor’s solution passes muster.

  2. Guise Bule says:

    The argument that a desktop user cannot adopt multiple personalities is a misleading one, generally advocates of this argument suggest that a user is completely unable to distinguish between a ‘work’ environment and a ‘personal’ environment.

    This is true as Tal will tell us, he tells me that he has conducted exhaustive studies around this subject (evidence please) and found that users are completely unable to differentiate between work and personal environments.

    I would argue that exhaustive studies around this phenomenon only serve to reinforce an argument rather than to discover the truth of the matter.

    The truth is that users CAN easily distinguish between two separate environments quite easily if we change the labels slightly.

    Change work and personal to ‘safe’ and ‘unsafe’ and users intuitively know which environment to use, they understand which tasks should not be undertaken in an unsafe environment, but more on this in a moment.

    We do not need to inflict multiple personalities on users and this is one of the most misleading things about the argument Tal advocates, he suggests that there is no other way and that users personalities must not be separated because to do so “is not holistic and forces people to work in a different context because IT says so with no added benefit to the end-user. It’s contrary to how we interact with our computing devices, especially phones and thus destined to fail.”

    VERY misleading argument indeed.

    He is basically saying that because we have always done things a certain way, any attempt to change the way we work is doomed to failure, but that’s not at all true.

    Tal is attempting to justify Bromium’s business model falling perfectly in alignment with Microsoft’s strategy to extend their desktop monopoly, at a time when we are moving away from the notion of a traditional desktop PC running a traditional operating system.

    He advocates the old over the new because this is the way we are used to interacting with our computing devices.

    If it were true then we would all still be using a pencil and paper instead of tapping keys. We do adapt to new ways of working, we all used to hate the Windows GUI and generally we preferred a command line, but look at us now.

    No, if something works better then typically we embrace it.

    Users (like humans) are an adaptable species, even when they do not instinctively enjoy change from the familiar, they get over it quite quickly and in a short space of time everything becomes familiar again.

    A completely separate environment gives us a powerful tool and benefits that we have not raised in this post yet.

    I think before discussing this, we have to take a look at what it is about user behaviour that causes us so much pain. This is an easy one, it’s users using the internet and this is what Tal believes he is an expert in and the problem that Bromium claims to solve.

    Malware, advanced persistent threats and organized cyber-crime, either state sponsored or conducted by private operators is the biggest problem we have in IT.

    The growing number of attacks on our cyber networks has become, in President Obama’s words, “one of the most serious economic and national security threats our nation faces.”

    The key to fighting this threat is to identify the kind of user behaviour that opens the door to these kinds of attacks and either stop that behaviour, or push that behaviour onto a platform built to handle the risk.

    This is not a conversation about technology, it is a conversation about the mitigation of risk onto platforms best suited to handling that risk.

    This is the way an increasing number of security-conscious organizations such as the National Nuclear Security Administration (NNSA) are fighting the problem of cyber-attack right now.

    The key is not inventing yet more magic tech (ahem Bromium), but doing something very simple using tools we already have.

    Quite literally turn off the internet on your internal (and highly secure) desktop infrastructure and provide your employees with a second desktop (ideally non-persistent) for all of those internet facing activities.

    This is common sense, we need to alienate the offending behaviour and isolate it onto a non-essential platform.

    This second desktop platform needs to be physically separate from your own infrastructure, so that when it is breached the attack occurs as far away from your internal networks as possible.

    By forcing users to only access the open internet on a second desktop, hosted on a platform built to handle the risk, you are able to significantly reduce the attack surface of your organisation.

    This is the model being embraced by the people who protect our nuclear weapons and it aligns perfectly with the goal of information security being able to provide the least probable attack surface.

    We need to start thinking outside of the box in order to arrive at solutions like this, ones that really address the root cause (user behaviour) and develop ways to segregate this onto platforms best built to handle the risk.

    The solution I describe above was not dreamt up by information technology professionals such as yourself with decades of experience in the IT space, it was formulated and executed successfully on a very large scale by cyber-security professionals who understand the mitigation of risk.

    It is through understanding risk and then taking steps to best deal with this risk that empowers us to create more secure solutions.

    Throwing more technology at the problem is not an option, we already hold the solution in our hands but sadly it does not align with Microsoft’s strategy of ‘one PC, one OS’.

    Multiple desktops and especially those based on VDI are not what a lot of people in the tech world want to see, primarily because they are employed by the ecosystems of people who have a vested interest in maintaining and extending the status quo.

    This is why we have people like Tal spreading FUD about VDI vendors who preach security and why Bromium is so convinced that we need to stick to the Microsoft approved plan of a never-ending desktop monopoly.

    It all comes down to a bunch of millionaires siding with billionaires in order to perpetuate the flow of riches to the detriment of those of us who actually use and manage desktops.

    Bromium will lock us into single-user, persistent desktop operating systems that are firmly welded to a fat PC.

    I ask you, are these really people we should be trusting to have our best interests in mind ?

    NO. Doubly so when it comes to security.

  3. Dan Shappir says:

    I think users can be expected to separate between work and personal activities and tools. We do it every day in the real world, we should be able to do it in the virtual world as well. For example, having separate mailboxes for work and personal stuff already comes naturally to most users.

    That being said, the VMware model appears to me to be a nonstarter, regardless of technical merit, if they can’t make it work on iOS. If they are able to get it to work, I actually see some value in the complete separation it creates between environments, each of which is fully contained.

    The Citrix model of doubling all my apps in the same environment – two email clients, two browsers, etc. – is less appealing to me, but has the great advantage of working on iOS.

    Why do you think remote wipe isn’t possible in the Citrix model? Correct, you can’t wipe the entire device, but you could certainly wipe stored business data (which should be encrypted anyway).

  4. Tal Klein says:

    Allow me to reshape the argument for a moment: Let’s flip this on its head and ask ourselves what is in the best interest of the users instead of what best serves IT. Even if we presuppose that my initial point is invalid, as you say.. Then I ask you: What’s in it for the users? Why should they use Horizon or Cloud Gateway when they can likely work around both using existing tools available for free/cheap on the web/AppStore without jumping through IT’s hoops.

    It’s time for IT to wake up to the fact that when they say “our way or the highway” many users are choosing the latter without bothering to phone home. Call it CoIT, BYOIT, FUIT… Brian called it the end-users’ Arab Spring, maybe that’s an overly dramatic metaphor, but it cuts to the heart of the matter: Mr. IT: You’re not the boss of me.

  5. Gunnar Berger says:

    Hey Dan,

    Remote Wipe is possible in the Citrix solution, but as you said it would just be the apps. Maybe that’s enough, maybe not. I’m not trying to make a point one way or the other, really I was just trying to give an example as a springboard for conversation. If you have a better example I’d be happy to update the blog post with it (I didn’t like it that much either but wanted to get the conversation started).

    Gunnar

  6. Dan Shappir says:

    Gunnar,

    I would just say that if, for sound business reasons, I need to have two separate personas on my device, I personally prefer the VMware approach of making a clear and distinct break. Assuming that switching between personas is easy, and the distinction between them is visually clear. And assuming that it works on iOS.

    Ideally I would prefer the “magic world” Brian Katz described in the recent CoIT podcast, where all data is encrypted and tagged, and all apps recognize those tags and behave appropriately. I think he called it MIM. Unfortunately I don’t see this happening any time soon.

    Dan

  7. Dan Shappir says:

    Tal,

    I think the relationship between IT and users must include education and also a bit of fear. Not fear from IT but fear from HR, or the boss or regulators. It’s like driving: I don’t like stopping at stop signs – it wastes my time. But I do it anyway because: a. I understand the reason for it b. I’m afraid of the consequences of being caught not doing it.

    IT needs to put up as few roadblocks as it can, but when a certain inconvenience is required, it should be properly explained to users (“don’t put corporate data on Dropbox because our competitors can get it”). And if afterwards a user deliberately breaks the rules – sanction that person.

    Obviously this approach can only work if the users see that IT is doing everything in its power to remove unnecessary roadblocks.

    Dan

  8. Simon Crosby says:

    Tal has it nailed. Guise Bule is utterly confused (still). Users may be able to distinguish between the pink virtual desktop and the green one, but so can the attacker. Where do you think, Guise, will the attacker send the email that will convince you to click on it? That’s right, your work email.

    Simon

  9. Guise Bule says:

    Tal has it nailed 🙂

  10. Guise Bule says:

    I forgot to mention that in the model I describe, the local machines on your internal network have zero access to the outside internet and this covers personal and work email.

    There is no email on the local desktops Simon, users are not allowed internet or email on their local desktops, the ones that contain all of their secret stuff.

    For sure it causes some small inconveniences as far as sending files to each other using email is concerned, but good workarounds have been built, the benefits hugely outweigh the inconveniences and users easily adapt to the new system.

    Users intuitively understand the internet is the wild west and they happily use a second desktop if it means they get unfettered internet access and that their stuff stays secure.

    Worth noting this is a model that has been used by many thousands of users in major Federal institutions for over two years now in full production, it’s a solution that has been around long enough for us to have measured its worth.

    Can Bromium say the same ?

    You must know this and I think this is why Tal is so ineptly driving some kind of dark marketing against VDI on blogs, at live events and in general, you need to rein him in before he makes you look bad.

    Corruptio optimi pessima.

  11. Andrew Wood says:

    The right approach for what? Enabling? Managing? Adding cost to? Removing cost from? I think with “mobile hypervisors” you’ve an answer, but what was the question?

    In terms of BYOD – aside from the often far reaching personnel aspects – can you push your apps to those devices (from a license/operation perspective); can those devices be trusted with the data they are working on (will they lose/corrupt it); can those devices be trusted to operate on your network (will they introduce malware or expose access that in turn exposes/loses/corrupts data & or services)

    Fundamental problems are – hypervisors aren’t really security tools in themselves – they are a management tool; the proliferation of consumer IT has granted power without responsibility; more importantly the threat isn’t cybercriminals – it’s the users themselves, it is far more likely Maurice in accounts will lose/corrupt his data than a hacker hack it. And, it is a consideration du jour that foisting IT provision onto the user will ergo reduce operational costs, and increase productivity…. when really – really?

    There are a subset of users (the size of the subset defined by a locality of view) who perceive and expect that all data that they access belongs to them: this is not the case. Yet, at the same time, many organisations are actively looking to use data out and beyond their network – to reduce costs, to improve productivity. Either way – it is no longer simply going to be corporate owned PC asset delivery.

    The goal/purpose of IT should be to manage the business’ technology so that the business data is protected – protected from loss, protected from corruption. It is not uncommon for IT to be blamed for “being slow” when in fact IT is often going “hang on -you want to do what, with what now” – the corporate equivalent of “I’m not so sure running with scissors is a good idea”. There is a difference between the safeguarding of an Angry Birds high score, and the company’s projected future earnings.

    Mobile hypervisors do let application developers deliver apps faster and offer a level of management. Not security per se – but management. Questions I’d put to Citrix & VMware are – do you anticipate that users will let corporates manage their device? How will that requirement be retro-fitted into employment contracts? If your strategy only encompasses certain models of device, certain operating systems, is your perception that users will accept that restriction… because the reason we’re in this place is the answer is “no”.

    A difficulty that XenClient has (as Citrix’s ‘mobile hypervisor’) is that it sits below the OS. If I bring my laptop in, that gets wiped. Sure I can run my own environment & that can be unmanaged – but there is an underlying component I no longer have control over. Unless laptop suppliers supply XenClient. A question for Citrix – is that going to happen? If it did will I want that & who has ultimate control of that state? At the moment – if it’s corporate, that’s it – you’ve signed your laptop over. Happy with that? Great for corporate devices, not a good BYOD platform.

    Horizon suffers in a different way, it’s a type 2, yes? But at the same time – requiring users to shift between environments is clunky and not ultimately what they want. Most importantly it is not ubiquitous (it’s not going to run on an iPhone, what’s the mean time for a new device coming out and supporting this) and as a punter – will I be happy that my environment’s performance is impacted by the business environment also running on my device, draining my battery, using my storage? …and how does it solve the fact I’d like my mobile data interaction device to be a laptop, not a phone.

    Both solutions suffer from not properly supporting the ubergeek love devices that Apple produce. While that is maintained, there will always be a gap – what are both organisations doing to remove that gap?

    For BYOD to succeed, there needs to be a seamless integration of your personal workspace with your corporate apps & data (within security reason as defined by the corporate *not* IT). Who really takes two bottles into the shower anymore?

    There are indeed labelling technologies as Dan mentioned – janusnet for instance – very good, others are available. They work very well from greenfield – they are complex to retrofit in – and it is a major undertaking to ensure that labelling is correctly maintained by users – for all the reasons Dan mentioned.

    How do mobile hypervisors solve *that* problem? They don’t really. Citrix would argue flexcast works here – and it does until I’m out of range, or out of mobile data usage credit.

    Bromium are one of a new breed who are looking to resolve a particular security problem – go them. But there needs to be data security (likes of ciphercloud for instance) and a whole “management” on/off boarding- where is that coming from?

    Mobile hypervisors just don’t quite cut it for meeting the challenges of BYOD, indeed I think they’re answering a different question.

  12. Guise Bule says:

    I would like to point out that we tend to become victims of our own hype and that BYOD and FUIT are nowhere near as prevalent as we may think or are led to believe by the Madden family and Tal.

    Sure BYOD is happening, but let’s not get carried away.

    In secure environments where security matters, nobody is circumventing IT or bringing their own devices, things are pretty locked down as far as they can be and employees know they get dismissed for such behaviour.

    BYOD and FUIT happen, but it’s not happening half as much as you may think.

    Or am I just crazy and it’s REALLY the Arab spring out there?

  13. Gunnar Berger says:

    BYOD is happening but I agree with you Guise, it’s not the number one issue that drives companies. I think general “mobility” comes before BYOD, after all if you don’t have a good mobility solution BYOD doesn’t really work.

    I do want to point out that these comments are getting off topic. This is supposed to be about the “mobile hypervisor” so iOS, Android, maybe Windows RT. This is not a full BYOD discussion, I too have major issues with BYOD and have another blog already done (but not posted) discussing my issues with BYOD.

    Also, I understand Simon/Tal have their motives for what they say, but who cares about the motives, a different point of view is welcome as far as I’m concerned. I’d welcome a Citrix and VMware fan to get on here and defend their position (again regardless of motive).

    If I can pull this back from the full BYOD conversation, I’d like to understand what is being said against the Citrix approach. I’ve heard a lot of negative on the hypervisor approach and some strong arguments for this, but no one is talking about how Citrix apps sit next to personal apps. That’s a very different approach and even in Tal’s arguments against the split personality, I don’t see those arguments negating the Citrix approach.

    Another question: The mobile hypervisor approach supports multiple phone contracts on the same phone, is this a good thing? Would business like this? Would consumers who carry two phones prefer this? I have a hard time commenting because I carry one phone.

  14. Brian Katz says:

    Multiple personality is just another way of saying Legacy thinking because the business doesn’t want to look at the right way to handle how people are now going to work. Business has been predicated on always owning the asset so they don’t have to worry about protecting their data etc. While other solutions may require more effort to perform properly, business looks at it only one way. I have to own the device. VMware and Enterproid are predicated on creating a machine in which the business again gets to own the device (the virtual container).
    While Guise likes to think that people are happy to use 2 environments, we are trained to use one. The whole BYOD movement is based on the fact that people don’t want to separate their devices, whether physically or virtually. Can they use it that way, sure. Does it take effort, of course. Will it solve the problem, not really. When the person makes his 1st call on the work side, or does work for the first time on the home side, you have already failed. This isn’t taking into account that your users have already stored some of your corporate data in Dropbox, Box, SugarSync, SkyDrive, iCloud or whatever so they could work on it when it was convenient for them. This happened before they even got to the phone or the tablet.
    The proper approach is to use MIM (Mobile Information Management) and the stepping stone to get there is through MAM (Mobile Application Management). When you do this properly it doesn’t matter where your data is because it is always encrypted and the security and policy follows that data, regardless of where it is.

  15. I think a mobile hypervisor is an unlikely future…thankfully.

  16. Dan Shappir says:

    First, I would like to point out that I, at least, was simply trying to answer Gunnar’s original question as I understood it – which approach do I prefer: Citrix’s (business apps sit side by side with personal apps) or VMware’s (they are in completely separate environments)? My answer was: if I have to have two of everything – two email clients, two browsers, etc. – then I prefer two separate environments, because I will be less likely to be confused, and use the wrong apps.

    I also stated that any solution which doesn’t support iOS is irrelevant in my book.

    Second, as I wrote, I would much prefer NOT to have two of everything. MIM – as Brian Katz described – is the way to get there. Give me MIM over app/environment duplication any day. Unfortunately I personally have little faith in seeing MIM happening any time soon. MIM is, in my mind, like DRM for enterprise information, and DRM has failed.

    I do see BYOD happening. At the recent BriForum Chicago EVERYBODY was using an iPad, and the question of whether or not they were personal or company owned is almost immaterial. What matters is that people are using these iPads at both office and home for both work and personal stuff.

    @DanShappir

  17. Andrew Wood says:

    but Dan, it isn’t really about the apps, it is about the data.

    For sure you can use Citrix’s application publishing model to keep your business applications logically separate from your personal apps. What I’m finding is that increasingly users (and these tend to be senior c-level users who hold the money, not fresh faced newbies) don’t want separate applications holding separate data. They don’t want two calendars they want one, they don’t want two email clients they just want to use email.

    So a ‘logically separate app’ instance tends to be of more use when it has no equivalent personal use (a database app for example). A major problem with the remoted delivery model is it relies on connectivity – and connectivity isn’t ubiquitous. Maybe this time was different, but BriForum’s internet connectivity typically sucks (other conferences where wifi sucks are available). Tablet/smartphone users expect to turn on a device and work/play – having a remoted app doesn’t consistently deliver that.

  18. Dan Shappir says:

    Andrew,

    Connectivity was actually good at BriForum Chicago, which was fortunate for me because one of my sessions and all my demos were online. Maybe this is an indication that we are on the verge of ubiquitous connectivity …

    Also, I do work for a company that provides remote access solutions (Ericom). This means that I do see lots of value in remote access and centralized computing. Otherwise I wouldn’t work there. For example, during the past several months, my laptop has effectively become tethered to the desk in my office. I use our software to connect to it remotely from an iPad, Chromebook, desktop, etc. and it works great. I do admit that I don’t like connecting from smartphones.

    That being said, I don’t think the original question was about locale vs. remote. Both the Citrix and VMware solutions that Gunnar discusses in his original post are about local device and app management (OK, the Citrix solution also does remote – but that wasn’t the focus I believe).

    Finally, as I myself have stated “I would much prefer NOT to have two of everything”. Good for you if you can use the iPad’s built-in email client for both work and private emails. But if you can’t, currently I don’t see an alternative to some sort of dual environments.

    @DanShappir

  19. Gunnar Berger says:

    See there is one thread here that I don’t get. I don’t use one email client for my business and personal. I use Outlook for my Gartner email, and I use Gmail for my personal email. Personally I like this very strong separation, because I have used Outlook for both before and I didn’t like it. I like each thing having its place. I don’t think I’m the same as every person out there, but I do think it’s worth noting that in some areas separation is preferred.

  20. Gunnar Berger says:

    Another instance of separation. I use Twitter for business (and I might throw in some personal but it’s rare). Whereas Facebook is primarily personal (but on rare occasions I do some business). So my social media has a very fine degree of separation.

    I would agree that it’s nearly impossible to keep all business just business, and all personal just personal. I.e., I would imagine most of us have our emergency contact number as our business phone not our personal phone. But this is for rare occasions not every day use.

  21. Brian Katz says:

    Gunnar – when you are on your device though – do you use a combined inbox or a separate client for each inbox? It’s not a question of the background cloud service but what you have to do to get the data. I have a Twitter account for me and for my website – but I only want one Twitter client. I have multiple email accounts but I prefer looking at 1 inbox most of the time. Do you want 2 versions of Word to look at work vs personal documents or just one?
    People use Dropbox and all so they can live with one client.
    Dan is correct – previous versions of DRM failed but they were always tied to the type of documents or built-in app solutions (seriously – have you ever tried to set up Microsoft DRM – there is no bigger fail). What makes MIM work is that it is ubiquitous and doesn’t depend on the document but handles all the data. This will require the maturation of MAM and then an open standard for putting those MAM capabilities into all apps.
    Whomever figures out MIM (and yes you need identity with MIM) wins. Multiple personality will always lose.

  22. Andrew Wood says:

    @dan, I’m not saying remoted instances are always bad – desktop virtualisation keeps my children in shoes – just that the experience is different from a mobile device perspective. If we consider that “the browser is the future” the latest raft of tablets and smartphones tend to rub against that trend by having apps and data managed and installed locally.

    It doesn’t appear much of a heartache, and indeed it is a logical separation if you have 2 email clients – one for work, one for home. However I regularly work in environments where the desire is to have a consolidated view of mail and messages. On a personal level – I’m a consultant – three or four outlook instances delivered supporting each client’s mail service would not be pretty. As organisations increase their collaboration with other organisations users are increasingly exposed to multiple environments. Do you exponentially increase the apps/vm instances on each device – or do you look to aggregate them in some way that the user becomes accustomed to? In a way that is happening now – I can use Dropbox, or Sharefile, or Hyperdrive or Teamdrive or Oxygen and later in August I can add DataNow. If IT delivers complex solutions users just don’t play ball: that’s how we got here.

    There’s also a difficulty (I think) in the direction that Citrix’s Receiver is taking (in its mobile app/data delivery) – how will it scale out to support a range of organisations delivering data to an individual – would that app/data delivery be better served with a lighter, more widely supported client... say based around HTML5?

  23. Tal Klein says:

    Gunnar – You’re making the mistake I warned about. You are imagining yourself as the end user. You need to imagine someone either much less tech savvy or much less cognizant of privacy.

    I use my mother as my go-to for the first. She would never understand the separation between Gmail and Outlook unless I went to great lengths to explain it to her, and even then I’m not sure she’d bother maintaining two inboxes for the sake of privacy. She uses her work email as her only email address; if she changed jobs then her email address would change, just like a phone number. Her only mobile phone was issued by her employer. Try to explain to her that her phone has two zones, personas, etc. and she’d likely tell you to go sit on it.

    I use my sister as my go-to for the latter. She makes no distinction between Facebook updates and Excel formulas. She plays Restaurant Wars while waiting for SAP to run queries. She texts her friends about dinner plans and then her boss about M&A from the same device in the same app. She consolidates all email accounts in her iPhone email app, in a single stream. Ask her to separate those and she’ll throw the phone in your face.

  24. Gunnar Berger says:

    Brian,

    Believe it or not I use two completely different clients: Outlook for business and Gmail (I like the HTML5 offline client) for personal. I like a very strong separation. In this case I’m okay with both the VMware and Citrix approach.

    However, your point on Word is well taken. I would not want two versions of Word.

    Gunnar

  25. Gunnar Berger says:

    I think there is a misconception here of the Citrix approach. Yes it supports remote app delivery but that’s not the full answer. I’m walking a fine line because I don’t know what is public and what isn’t, but the Citrix approach is not just about remote app delivery, it’s about managing local or remote apps. Need to see if I can get a Citrix rep to join this feed, stand by.

  26. Gunnar Berger says:

    Tal,

    I completely agree with you on one point. I know that my mistake in much of this is seeing it from a technical standpoint (that’s why I opened up this conversation). I want a more holistic view.

    That said, I’m still not sure I agree. My parents and wife are not very technical and I see them going into many different compartments, not just business and personal. In my wife’s case: OWA for business, some jacked up student email service with a clunky web interface, and her gmail account for her personal. Not saying she likes it, but it is what it is and she doesn’t question that.

    In my wallet I carry a business credit card and a personal credit card. It is important and beneficial to keep these separate. The more I think about it the more I think that we DO live in worlds of separation and in some cases this is a good thing. In other cases it’s not.

    My file cabinet has different folders for personal stuff and business stuff; it’s not one folder of everything.

    My home office is a disaster of lab equipment all over the place; if this went outside of this office my wife would kill me. I don’t have my lab stuff sitting in my living room.

    I’m sure there is some flaw to this argument, so hit me with it. 🙂

  27. Andrew Wood says:

    Ultimately, it is easier & faster when you have 1 app that you are comfortable with and know, letting you access all the information and do the tasks you want to do.

    Yes you can have multiple apps doing the same thing – sometimes it works (but is clunky), sometimes it doesn’t (like with Word).

    Citrix’s solution was to provide you with a client on your device – then remote to applications elsewhere. They’ve extended that solution by (re)introducing XenClient; there is the concept coming of managing delivery of mobile apps (I believe). There is a distinct separation of work apps and home apps.

    VMware’s solution is to provide a hypervisor on end devices, essentially doing the same thing.

    What both options are ignoring, actively (under the remit of ‘security’) or passively (under the remit of ‘anything else is hard’), is that complete isolation is not what a lot of people are expecting – the wider user community is essentially Tal’s family. Citrix and VMware appear to be like many IT depts saying “tough, do it our way” – and I don’t think that is sustainable.

    It’s even less sustainable when you consider no mobile hypervisor works (yet) on iOS.

  28. Tal Klein says:

    Gunnar – I still think you’re not getting what I’m getting at. It’s not my family vs your family, it’s about satisfying the needs of the user.

    Your proposition is that it’s OK for IT to inconvenience users because they are used to being inconvenienced. That doesn’t work for me.

  29. Guise Bule says:

    There is no real flaw in your argument about separation and compartmentalisation unless you use the American spelling 🙂

    We are human, placing things into separate boxes so that we may best understand them is second nature to us as human beings and part of the human condition.

    You are right to want to step away from this conversation’s technical viewpoint; when human nature and the risks associated with our behaviour are being discussed we can only take the holistic view.

    Just because we are brilliant at compartmentalising things in some ways, we suck at doing exactly the same thing in other ways.

    Considering how smart we can be, bizarrely we can be really stupid at the same time and Tal is completely correct when he says that no matter what we do to educate a user, they will always do personal stuff in their work environments and work stuff in their personal environments.

    We are too stupid to compartmentalise things labelled ‘work’ and ‘personal’ and things need to be taught in a way that we can understand.

    What we do instinctively understand is fight or flight, safe or unsafe and when you label two distinct environments ‘safe’ and ‘unsafe’ users intuitively work it out and fluidly adapt.

    We can quite easily be taught that some of our behaviour carries risks and that these risks have very real consequences, we can easily learn how to mitigate against risk.

    Convenience is a fickle and demanding mistress, if you feed her she will always become greedier and we have indulged her to the point that FUIT has become acceptable.

    Tal and Simon view this subject (as do I) in the context of security and rightly so, we really need to stop focusing on management, mobility and focus on security first.

    In case nobody had noticed, Rome is burning and we are fiddling.

    I am constantly appalled at the common perception that we are much more likely to corrupt data and lose our laptops than have a hacker take something from us; whilst this may be a truism it does not forgive the negative perception that security comes second to management.

    It must become fashionable again to look at everything from a security perspective, we must foster a mentality that promotes security mindedness over the practicalities of things like the economics of user density and the mechanics of application management or delivery.

    Bromium have not been fiddling whilst Rome burns, Simon quite possibly has the solution to address our most pressing concerns and I sincerely hope that he does for all of our sakes, I just take issue with the wisdom of their current focus on VDI but I am in complete agreement with them on key issues.

    What we should be doing is looking at this subject in the way Simon and Ian have been doing, ignore all else, focus on human nature, the inherent security that good architecture design can bring and the most obvious flaws in our digital environments in terms of risk.

    If we must separate one thing from another in a way that benefits us, let’s separate the kind of behaviour which causes us the most pain and compartmentalise it somewhere it cannot do much damage.

    On the subject of the separation of personalities in multi-tenant, multi-user environments, who amongst us can say that we can securely achieve a true separation?

    As Shawn Bass is advocating in his recent post on the subject, security driven by correctness of code and obfuscation is doomed to fail and only security driven by isolation is ever really effective.

    I would argue that true isolation, true separation of ‘stuff’ in our digital connected world only occurs through physical separation and also that we are only effective at separating things when we understand them in terms of risk and reward, fight or flight, safe and unsafe.

    You are talking about the wrong kind of separation, gentlemen, and you are talking about separating the wrong things.

    I urge you all to engage with the notion of ‘security first’ in everything we do and to focus less on the technologies involved and more on the risks we expose ourselves to and how best to mitigate against them.

    Let’s separate the bad risk away from our good stuff first and then worry about how we can best manage something later; let’s also start taking security seriously before the lapse in our thinking hurts us badly.

    A fatal human tendency we all share is the inclination towards complacency unless something deeply affects us and our immediate circles in a negative way.

    Gunnar, you are in a position where you get to speak to a myriad of different customers using technology out there.

    You must have come across several who have been quite badly mauled by cyber-attack; would you say their primary concern when viewing technology solutions is management or mobility?

    I believe that one day we will wake up and realize that despite our focus on management, mobility, BYOD and FUIT, the infrastructures we build will be underpinned by the architectures designed by those who focus on nothing but security.

    This is because the stakes are too high in the real world, because you choose to focus too much on the possibility that you could be attacked, because you are cushioned by the luxury of not having suffered serious personal, financial, intellectual or emotional loss from cyber-attacks.

    This is human behaviour and to be expected, but not excused.

    You guys fiddle all you like, security of end user computing is the new topic of conversation and one that will determine the fate of this thing we call the desktop and that other thing we call the cloud.

    I shall stand guard and watch over you all in the meantime and help keep Tal honest until we begin to talk about the really important things.

  30. The driving force of CloudGateway’s product definition is to enable employees to be as productive on the go as they are in the office by delivering all of their apps and data to any device, anywhere. We fully embrace the BYO megatrend and have designed our products based on the competing forces of end-user delight and the need for IT to protect their IP and digital assets (security). For the record, Citrix’s CloudGateway2 solution does not use a type 1 or type 2 hypervisor on the device. Rather, our approach is based on securely provisioning native mobile enterprise apps via a container technology and managing them via policies that are surfaced in the CloudGateway console.

  31. Gunnar Berger says:

    Thanks for jumping in Tobias. For those of you reading these comments, Tobias will be the Citrix rep on stage during this debate. I asked him to jump on the blog and clarify Citrix’s product offering. Thanks Tobias for being willing to do this.
